When should you promote HIPAA Awareness?

Ideally, there should be no need to promote HIPAA awareness, as employees would always be aware of HIPAA and acting in a HIPAA-compliant manner. However, in reality, memory fades and people need to be reminded of their obligations under HIPAA. With that in mind, when should you promote HIPAA awareness in a company? 

Any HIPAA covered entity (CE; that is, healthcare providers, health plans, and healthcare clearinghouses that all have access to individually-identifiable patient health information) must provide HIPAA training to anyone under their “direct control”. This includes volunteers or subcontractors; anyone that could come into contact with protected health information (PHI) needs to be versed in HIPAA compliance and what workplace protocols exist to prevent any HIPAA violations. Any Business Associates (BA) should also implement HIPAA training. 

There are many means of training employees, and HIPAA does not establish a curriculum for such training. It also does not establish a long-term timeframe for such training, and only stipulates that training occur at the start of an employment contract. It also states that training should be conducted regularly to ensure that employees remain HIPAA aware, but does not define what “regularly” is. It is generally accepted that industry best practice is for training to occur annually. Additional training sessions should be organized throughout the year if there have been any updates to either the workplace HIPAA protocols or HIPAA itself.

Though there is no set curriculum, there are a few topics of importance that should be covered in HIPAA awareness training. Employees should be made aware of when they can and cannot use PHI, who they can disclose it to, how to safeguard PHI, and what the protocols are if a HIPAA violation is suspected. 

Aside from formal training sessions, there are other means of promoting HIPAA awareness in the workplace. This can include having posters around the workplace reminding employees not to share their passwords, or to lock their offices at night. Regular quizzes on HIPAA protocols can be an additional way of maintaining awareness amongst employees, as are newsletters. 

HIPAA is a broad act, and training can be tailored to specific roles. Such “job-specific” training can ensure that those conducting particular tasks, or handling particular types of PHI, have heightened awareness of the parts of HIPAA that apply to them, and of the biggest threats they face. Other forms of training, such as security-awareness training, should be given to all employees, irrespective of their role.

There are a variety of ways that CEs can promote HIPAA awareness, but it should be a continuous process. Employees should regularly be made aware of their duties under HIPAA, as such awareness is an efficient and cost-effective way of preventing the violations that carry potential penalties under HIPAA.